Topeka, KS, Material Distribution Center – Information Technology Logical Access Controls

Audit Report
Report Number IT-AR-14-007
July 11, 2014


Highlights

Background

The Material Distribution Center (MDC) in Topeka, KS, provides critical and essential services to all U.S. Postal Service facilities such as parts, equipment, supplies, and print services. The MDC distributes materials to about 31,000 facilities, and it warehouses more than 26,000 items. The MDC uses an application to manage inventory, including shipment of about 112 million blank money orders to post offices around the country. It also uses a check printing application to print about 192,000 payroll checks per month.

Because of the vital services the MDC provides, it is imperative that it adhere to Postal Service policies for maintaining and securing these applications.

Our objective was to determine whether electronic safeguards for the check printing and inventory management applications were operating effectively to protect data from unauthorized modification, loss, and disclosure. Electronic safeguards include operating system updates, database configuration, [redacted] software, and web application security.

What The OIG Found

The MDC did not adequately safeguard the 14 servers that support the check printing and inventory management applications, thereby jeopardizing the security of their data. Specifically, management did not update the operating systems on any of the 14 servers or configure three database servers in accordance with security standards. In addition, the MDC did not use [redacted] software on two servers or adequately protect [redacted] server from unauthorized use.

These security issues occurred because administrators were focused on other priorities, such as configuring applications for the January 2014 postage rate increase and securing the environment for credit card activity. In addition, due to an oversight, management did not ensure that security configurations were reviewed on the web application server.

What The OIG Recommended

We recommended management properly configure databases, verify that the latest approved [redacted] software is enabled on operating systems, and develop a process to ensure security configurations are reviewed on all web servers. We are not making a recommendation regarding updating operating systems because management completed corrective action during the audit.

"These security weaknesses could result in unauthorized access to the check printing and inventory management applications and modification of their data."


Transmittal Letter

July 11, 2014

MEMORANDUM FOR: JOHN T. EDGAR
                VICE PRESIDENT, INFORMATION TECHNOLOGY

FROM: John E. Cihota
      Deputy Assistant Inspector General
      for Finance and Supply Management

SUBJECT: Audit Report – Topeka, KS, Material Distribution Center – Information Technology Logical Access Controls (Report Number IT-AR-14-007)

This report presents the results of our audit of the U.S. Postal Service's Topeka, KS, Material Distribution Center Information Technology Logical Access Controls (Project Number 14BG001IT000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Sean D. Balduff, acting director, Information Technology, or me at 703-248-2100.

Attachment

cc: Corporate Audit and Response Management


Table of Contents

Cover
Highlights ................................................................ 1
  Background .............................................................. 1
  What The OIG Found ...................................................... 1
  What The OIG Recommended ................................................ 1
Transmittal Letter ........................................................ 2
Findings .................................................................. 4
  Introduction ............................................................ 4
  Conclusion .............................................................. 5
  Patch Management Compliance ............................................. 5
  [redacted] Database Compliance .......................................... 7
  [redacted] Compliance ................................................... 7
  Web Application Compliance .............................................. 8
Recommendations ........................................................... 9
  Management's Comments ................................................... 9
  Evaluation of Management's Comments ..................................... 9
Appendices ............................................................... 10
  Appendix A: Additional Information ..................................... 11
    Background ........................................................... 11
    Objective, Scope, and Methodology .................................... 11
    Prior Audit Coverage ................................................. 12
  Appendix B: Patch Management Compliance Issues ......................... 13
  Appendix C: [redacted] Database Compliance Issues ...................... 16
  Appendix D: Hardening Standards ........................................ 17
  Appendix E: Web Vulnerabilities Examples ............................... 18
    [redacted] ........................................................... 18
    [redacted] ........................................................... 19
    [redacted] ........................................................... 20
  Appendix F: Sample Selection Summary ................................... 21
  Appendix G: Management's Comments ...................................... 22
Contact Information ...................................................... 25


Findings

Introduction

This report presents the results of our self-initiated audit of the U.S. Postal Service's Topeka, KS, Material Distribution Center's (MDC) information technology (IT) logical access controls[1] (Project Number 14BG001IT000). Our objective was to determine whether electronic safeguards for the check printing and inventory management applications were in place and operating effectively to protect data from unauthorized modification, loss, and disclosure. Electronic safeguards include configuring databases, updating operating systems, using [redacted] software, and securing web applications.
See Appendix A for additional information about this audit.

The MDC provides critical and essential services to all Postal Service facilities such as parts, equipment, supplies, and print services. The MDC distributes materials to about 31,000 facilities, warehouses more than 26,000 items, and manages inventory. In addition, the MDC annually ships about 112 million blank money orders to post offices around the country.

In 1975, the Postal Service added the Label Printing Center (LPC) to the MDC. In June 2013, it changed the LPC's name to the National Print Center (NPC) to reflect its mission of consolidating Postal Service print operations into the new center. All print functions, such as payroll checks and earning statements, are now printed at the NPC. The NPC prints about 192,000 payroll checks per month and 12 million earning statements per year.

The Infoprint Process Director (IPPD)[2] is one of the applications used to manage the printing process. Another application, the Material Distribution and Inventory Management System (MDIMS),[3] is used to manage inventory. Because of the vital services the MDC provides, it is imperative that it adhere to Postal Service policies and procedures for maintaining and securing the IPPD and MDIMS applications.

The Corporate Information Security Office provides hardening standards[4] to support the creation of a strong security infrastructure and protect Postal Service electronic business applications and sensitive customer and internal data. The primary reason for these standards is to protect electronic transactions from increasing external (non-employee) and internal (employee) threats, such as computer [redacted] and data modification. These threats can be either malicious or benign.

Logical access controls are often built into the operating system or may be part of the logic of application programs. These controls protect computer systems and data by verifying and validating authorized users, authorizing user access to computer systems and data, and restricting transactions according to the user's authorization level.

[1] Electronic controls in computer systems used to prevent or detect unauthorized access, such as passwords and account restrictions.
[2] A database-driven print workflow system that manages all aspects of a printing process. In this case, the application manages the print environment for the NPC.
[3] A real-time system used to perform material distribution, warehousing, and inventory management business functions for the Postal Service.
[4] Hardening standards provide security requirements and controls for all information resources. The standards apply to all devices with connectivity to the Postal Service's computing infrastructure including, but not limited to, server hardware or devices operating server software, such as databases, operating systems, and servers.


Conclusion

The MDC did not adequately safeguard any of the 14 servers supporting the IPPD and MDIMS applications to protect against data modification, loss, and disclosure. Specifically, management did not update the operating systems on any of the 14 servers; did not configure three database servers in accordance with security standards; did not use [redacted] software on two servers; and inadequately protected one web application server from unauthorized use.
These security issues occurred because administrators were focusing on other priorities, such as configuring applications for the January 2014 postage rate increase and securing the environment for credit card activity. In addition, due to an oversight, management did not ensure security configurations were reviewed on the web application server.

These security weaknesses could result in unauthorized access to the IPPD and MDIMS applications and modification of their data. We estimated that 75,619 money orders with the potential value of about $76 million are at risk of theft annually due to inadequate security controls on all 14 servers. Effective security controls increase the probability that the Postal Service will detect and prevent a data compromise that might negatively affect the confidentiality, integrity, and availability of information resources.[6]

"Servers supporting the distribution and inventory management of money orders were not adequately safeguarded."

Patch Management[7] Compliance

Administrators[8] did not install the latest operating system software updates on any of the 14 servers that support the IPPD and MDIMS applications.[9]

Specifically:

■ We identified 14 software security updates that were not installed on the two print servers supporting the IPPD application. Management decided not to install patches during the normal patch cycle[10] due to the holiday season and price rate change. During our audit, administrators installed all 14 updates on servers in subsequent patch cycles; therefore, we are not making a recommendation for this issue.

■ We identified 42 software security updates that were not installed on the 12 servers supporting the MDIMS application. Management stated that they deferred installation of updates until they upgraded the servers. During our audit, administrators installed all 42 updates on servers in subsequent patch cycles; therefore, we are not making a recommendation for this issue.

See Appendix B for specific details on the update issues related to the IPPD and MDIMS servers.

[6] All Postal Service information assets, including information systems, hardware, software, data, and applications.
[7] Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware.
[8] IPPD and MDIMS administrators are in Eagan, MN.
[9] [redacted]
[10] The normal patch cycle for deploying [redacted] Server Security patches is [redacted]. During this period, management analyzes, tests, and applies (if appropriate) vendor-recommended patches.

Table 1 summarizes the 56 software updates the U.S. Postal Service Office of Inspector General's (OIG) automated scanning tools determined were missing from one or more of the 14 servers we tested. Table 2 summarizes the 56 updates in Table 1 by age.

Table 1. Missing Critical[11] and High-Risk[12] Updates

Application   Number of          Operating   Third      Database[3]   Total Unique
Name          Servers Affected   System[1]   Party[2]                 Vulnerabilities
IPPD                  2                  8          6            0                 14
MDIMS                12                  5         23           14                 42
TOTAL                14                 13         29           14                 56

Source: OIG Nessus and GFI LanGuard scanning tool results
[1] Software that manages all other programs running on a computer.
[2] Programs developed by companies other than the company that developed the computer's operating system.
[3] Database software describes any software designed for creating databases and managing the information stored in them.

Table 2. Missing Updates By Age

Application   Update Age
Name          0-30 days[1]   31-60 days   61-90 days   91+ days   TOTAL
IPPD                     4            6            0          4      14
MDIMS                    3            0            2         37      42
TOTAL                    7            6            2         41      56

Source: OIG Nessus and GFI LanGuard scanning tool results
[1] The vendor recommends that critical patches be applied immediately.

As a result, the IPPD and MDIMS applications did not have adequate safeguards in place to protect applications and data from damage or compromise. Managing updates is critical for ensuring the integrity and reliability of information resources.
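The age summary in Table 2 can be reproduced from raw scanner output. The following is an added example, not the OIG's tooling or anything from the report: it buckets each missing update by age from the vendor release date to the scan date, counts an update once per application as Table 1's "Total Unique Vulnerabilities" column does, and lists the updates older than 90 days per server for follow-up. The hostnames, update identifiers, release dates and scan date are constructed.

```python
"""Patch-age summary in the style of the report's Table 2.

Added example; not part of the audit report or the OIG's scanning tools.
The records below are constructed, not taken from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Age buckets used by Table 2: 0-30, 31-60, 61-90 and 91+ days.
BUCKETS = ("0-30", "31-60", "61-90", "91+")


@dataclass(frozen=True)
class MissingUpdate:
    """One (server, missing update) pair as a scanner would export it."""
    application: str   # application the server supports, e.g. "IPPD"
    server: str        # hostname (constructed)
    update_id: str     # vendor update identifier (constructed)
    released: date     # vendor release date of the update


def age_bucket(age_days: int) -> str:
    """Map an update's age in days to a Table 2 bucket label."""
    if age_days < 0:
        raise ValueError("update release date is after the scan date")
    if age_days <= 30:
        return "0-30"
    if age_days <= 60:
        return "31-60"
    if age_days <= 90:
        return "61-90"
    return "91+"


def summarize_by_age(records, as_of: date) -> dict:
    """Count unique missing updates per application and age bucket.

    An update missing on several servers of the same application counts
    once, matching the 'Total Unique Vulnerabilities' column of Table 1.
    Age is measured from the vendor release date to the scan date.
    """
    seen = defaultdict(set)   # application -> update ids already counted
    table = {}                # application -> {bucket: count}
    for rec in records:
        if rec.update_id in seen[rec.application]:
            continue
        seen[rec.application].add(rec.update_id)
        row = table.setdefault(rec.application, {b: 0 for b in BUCKETS})
        row[age_bucket((as_of - rec.released).days)] += 1
    for row in table.values():
        row["TOTAL"] = sum(row[b] for b in BUCKETS)
    columns = BUCKETS + ("TOTAL",)
    # Column totals are computed before the TOTAL row is added to the table.
    table["TOTAL"] = {c: sum(row[c] for row in table.values()) for c in columns}
    return table


def overdue(records, as_of: date, max_age_days: int = 90) -> list:
    """Return (application, server, update_id, age_days) for every missing
    update older than max_age_days, oldest first, for per-server follow-up."""
    out = []
    for rec in records:
        age = (as_of - rec.released).days
        if age > max_age_days:
            out.append((rec.application, rec.server, rec.update_id, age))
    return sorted(out, key=lambda t: (-t[3], t[0], t[1], t[2]))


def render(table: dict) -> str:
    """Format the summary as plain-text rows laid out like Table 2."""
    columns = BUCKETS + ("TOTAL",)
    lines = ["Application  " + "".join(f"{c:>8}" for c in columns)]
    for app, row in table.items():
        lines.append(f"{app:<13}" + "".join(f"{row[c]:>8}" for c in columns))
    return "\n".join(lines)


# Constructed sample: a scan dated 2014-01-15. The report does not itemize
# the missing updates on this page, so these values are illustrative only.
AS_OF = date(2014, 1, 15)
SAMPLE_RECORDS = [
    MissingUpdate("IPPD", "print-srv-01", "KB-A", date(2014, 1, 5)),
    MissingUpdate("IPPD", "print-srv-02", "KB-A", date(2014, 1, 5)),    # same update, counted once
    MissingUpdate("IPPD", "print-srv-01", "KB-B", date(2013, 11, 20)),
    MissingUpdate("IPPD", "print-srv-02", "KB-C", date(2013, 9, 1)),
    MissingUpdate("MDIMS", "app-srv-03", "KB-A", date(2014, 1, 5)),     # other application, counted again
    MissingUpdate("MDIMS", "app-srv-04", "DB-1", date(2013, 10, 30)),
    MissingUpdate("MDIMS", "app-srv-05", "DB-2", date(2013, 6, 1)),
    MissingUpdate("MDIMS", "app-srv-05", "KB-D", date(2013, 12, 16)),   # exactly 30 days old
]

if __name__ == "__main__":
    print(render(summarize_by_age(SAMPLE_RECORDS, AS_OF)))
    for app, server, upd, age in overdue(SAMPLE_RECORDS, AS_OF):
        print(f"overdue: {app} {server} {upd} ({age} days)")
```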
Untimely installation of updates could allow an attacker to run malware[13] or obtain sensitive information.

[11] A rating that an IT vendor (such as Microsoft) assigns to communicate the severity of a security weakness. In this case, a critical rating means the worst scenario could occur, such as a system being hacked. The vendor recommends the customer apply the update immediately.
[12] A rating that an IT vendor assigns to communicate the severity of the risk. In this case, it evaluates the level of risk associated with the security risk. The vendor recommends the customer apply the update at the earliest opportunity.
[13] Malware is software programs designed to damage or perform unwanted actions to a computer system.

[redacted] Database Compliance

[redacted] database administrators[14] improperly configured three of five[15] database servers supporting the MDIMS application.
Specifically, we identified 15 unique security settings that were not configured in accordance with Postal Service hardening standards.[16] See Appendix C for specific details on the configuration issues related to the MDIMS application databases. Administrators did not properly configure the servers after the Postal Service revised its hardening standards in June 2013 because they had other priorities, such as configuring a secure enclave[17] to comply with Payment Card Industry Security Standards.[18] When databases are not configured correctly, a person could read and, accidentally or intentionally, change, add, or delete an order for supplies such as blank money order stock entered into MDIMS. As a result, we estimated 151,238 money orders with the potential value of about $151 million are at risk of theft over 2 years due to inadequate security controls on the 14 servers.

Inventory management servers had [redacted] disabled.

[redacted] Compliance
We determined that two of the 12 application servers we tested supporting the MDIMS application did not have approved and [redacted] enabled on the [redacted] operating system. See Appendix D for a summary of the security compliance settings we reviewed. This occurred because administrators decided to disable the [redacted] software on the two servers because they thought it was incompatible with MDIMS; however, the administrators did not confirm that the software was incompatible, nor did they install [redacted] software on these servers.

During our audit, administrators began running tests to re-enable [redacted] software on the two application servers.

14 [redacted] database administrators are in Raleigh, NC.
15 We performed [redacted] database scans on the three databases that were classified as production databases for MDIMS.
16 Security Hardening Standards for [redacted]
17 An enclave is a network area where special protections and access controls, such as firewalls and routers, are used to secure information resources.
18 A set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
19 Security Standards for [redacted]

Web Application Compliance
[redacted] Servers[20] supporting the MDIMS application was not adequately protected from unauthorized modification, loss, and disclosure. Specifically, we identified security weaknesses as follows:

■ [redacted]
■ [redacted]
■ [redacted]

These vulnerabilities existed because management did not ensure a security code review[24] was performed and documented on MDIMS. As a result, an unauthorized person could obtain sensitive data and compromise IT security.

20 Provides the environment to run web-enabled applications. This development server was replicated from the production server specifically for our testing because of the possibility of corrupting the production environment with script injection and parameter manipulation.
[redacted]
24 A security code review is an analysis of the source code and documentation to verify compliance with software design documents and programming standards and the absence of malicious code.

Recommendations
We recommend the vice president, Information Technology, direct the manager, Solutions Development and Support, to:

1. Configure and update all database servers that support the Material Distribution and Inventory Management System application.

2. Verify the latest approved [redacted] software is enabled on all servers supporting the Material Distribution and Inventory Management System
application.

3. Review security codes on all web servers that support the Material Distribution and Inventory Management System application.

We recommend management properly configure databases; verify the latest and approved [redacted] is enabled on operating systems; and develop a process to ensure security configurations are reviewed on all web servers.

Management’s Comments
Management agreed with all the findings and recommendations in the report and disagreed with our estimated other impact of $151.2 million.

In response to recommendation 1, management will configure and update all databases that support the MDIMS application. Management’s target implementation date is March 31, 2015.

In response to recommendation 2, management initiated a project to re-enable the [redacted] software on the impacted MDIMS servers. Management’s target implementation date is August 31, 2014.

In response to recommendation 3, management is currently remediating vulnerabilities identified in our report and will perform code reviews on MDIMS servers. Management’s target implementation date is August 31, 2014.

Management disagreed with the amount of potential risk that exists in the MDIMS and the value of money orders at risk of being fraudulently cashed due to inadequate security controls. Further, management believes that existing controls significantly reduce the risk associated with this estimated cost, including a reconciliation process performed at the accounting service center that identifies money orders sold with invalid serial numbers.

See Appendix G for management’s comments, in their entirety.

Evaluation of Management’s Comments
The OIG considers management’s comments responsive to the recommendations, and corrective actions should resolve the issues identified in the report.

Regarding management’s disagreement with our estimate of potential risk that exists in the MDIMS, the OIG’s calculation of potential risk considered controls that prevent fraud from occurring. Management refers to the money order reconciliation process as a compensating control; however, this process is a detective control that identifies fraudulently issued and cashed money orders after the fraud has occurred. Therefore, we believe our estimated value of about $151 million for money orders at risk is reasonable.

The OIG considers recommendations 2 and 3 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. These recommendations should not be closed in the Postal Service’s follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.

Appendices
Appendix A: Additional Information .......... 11
  Background .......... 11
  Objective, Scope, and Methodology .......... 11
  Prior Audit Coverage .......... 12
Appendix B: Patch Management Compliance Issues .......... 13
Appendix C: [redacted] Database Compliance Issues .......... 16
Appendix D: Hardening Standards .......... 17
Appendix E: Web Vulnerabilities Examples .......... 18
  [redacted] .......... 18
  [redacted] .......... 19
  [redacted] .......... 20
Appendix F: Sample Selection Summary .......... 21
Appendix G: Management’s Comments .......... 22
Appendix A: Additional Information

Background
The MDC is a roughly 950,000 square-foot warehouse for more than 26,000 different parts, pieces of equipment, and supplies. The MDC performs print services, material distribution, and inventory management for about 31,000 facilities the Postal Service manages. The MDC consists of the following centers:

■ The NPC, which prints more than 95 million pages of documents per year, such as manuals, payroll checks, and earning statements.
■ The MDC, which processes more than 3.8 million postal-related orders per year, such as parts and supplies.
■ The Inventory Control Center, which manages inventory for the Postal Service.

In support of operations, MDC employees and customers use roughly 15 applications to conduct business.

The Postal Service has information security policies to protect applications and data from unauthorized use and modification, including logical controls for protecting applications and information.

Objective, Scope, and Methodology
Our objective was to determine whether electronic safeguards, such as configuring databases, updating operating systems, using [redacted] software, and securing web applications, were in place and operating effectively to protect data from the check printing and inventory management applications against unauthorized modification, loss, and disclosure. We used AppDetective,[25] GFI LanGuard™,[26] Nessus®,[27] and Hewlett-Packard WebInspect[28] to accomplish our objective.

We performed our work at the Information Technology Service Center in Eagan, MN, and the MDC in Topeka, KS. Our assessment included a review of two IPPD servers and 12 MDIMS servers. We selected the IPPD application because it manages all printers in the NPC that print documents containing sensitive information, such as birth dates and salaries. In addition, we selected the MDIMS application because of the inherent risk associated with using this application to ship blank money order stock to post offices throughout the country. We assessed these servers for vulnerabilities and compliance with Postal Service information security policies and standards. Additionally, we interviewed Postal Service IT staff, assessed scan results, and provided our assessment to Postal Service administrators. See Appendix F for servers tested.

We conducted this performance audit from November 2013 through July 2014, in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management on June 11, 2014, and included their comments where appropriate.

25 A network-based discovery and vulnerability scanner that discovers database applications within the infrastructure and assesses their security strength. It scans databases for vulnerabilities, configuration issues, weak passwords, missing patches, access control concerns, and other issues that can lead to user privilege escalation.
26 A network security scanner and patch management tool that allows the user to scan, detect, assess, and rectify security vulnerabilities.
27 A vulnerability and configuration assessment product that features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis.
28 An automated and configurable web application security and penetration testing tool that mimics real-world hacking techniques and attacks, enabling the user to thoroughly analyze complex web applications and services for security vulnerabilities.

We assessed the reliability of operating system and database configuration data by performing electronic testing of the hosts, reviewing resultant data for false positives and other anomalies, and interviewing agency officials knowledgeable about the data. We determined that the data were sufficiently reliable for the purposes of this report.

Prior Audit Coverage

Report Title                                               Report Number   Final Report Date   Monetary Impact
Fiscal Year 2012 Information Technology Internal Controls  IT-AR-13-003    1/28/2013           None
Report Results: The infrastructure-level internal controls we tested were properly designed and generally operating effectively; however, we identified several opportunities to strengthen certain infrastructure-level internal controls. Specifically, management could strengthen security monitoring of operating system and database activity, better segregate duties for administrators, ensure effective use of intrusion detection and prevention software, and improve the process for monitoring UNIX and Windows server compliance with operating system configuration requirements. The control weaknesses identified, alone or collectively, did not prevent reliance on infrastructure-level internal controls for the accuracy and timeliness of financial reporting. Management agreed with the findings and recommendations.

Fiscal Year 2011 Information Technology Internal Controls  IT-AR-12-003    1/9/2012            None
Report Results: The infrastructure-level internal controls we tested were properly designed and were generally operating effectively; however, we identified opportunities for management to strengthen certain internal controls over operating systems, databases, data transfer services, job scheduling, and data backup and restoration operations. In addition to the issues identified in Fiscal Year (FY) 2011, we reported on the status of unresolved issues from the FY 2010 review.
Management agreed with the recommendations.

Appendix B: Patch Management Compliance Issues

Table 3 describes software updates for the vulnerabilities detailed in Table 1 relevant to the IPPD application. During our audit, management took corrective action on all critical and high-risk updates noted in Table 4 for the [redacted] and [redacted] servers.

Table 3: Software Updates - Topeka IPPD

No.   Missing Critical and High-Risk Updates   Risk Factor
1     [redacted]                               Critical
2     [redacted]                               Critical
3     [redacted]                               Critical
4     [redacted]                               Critical
5     [redacted]                               High
6     [redacted]                               Critical
7     [redacted]                               High
8     [redacted]                               Critical
9     [redacted]                               Critical
10    [redacted]                               High
11    [redacted]                               High
12    [redacted]                               High
13    [redacted]                               Critical
14    [redacted]                               High

Source: OIG Nessus and GFI LanGuard scanning tool results.

Table 4 describes software updates shown in Table 1 relevant to the MDIMS application. During our audit, management took corrective action on all critical and high-risk updates noted in the table below for the following servers: [redacted]

Table 4: Software Updates - MDIMS

No.   Missing Critical and High-Risk Updates   Risk Factor
1     [redacted]                               Critical
2     [redacted]                               High
3     [redacted]                               High
4     [redacted]                               High
5     [redacted]                               Critical
6     [redacted]                               High
7     [redacted]                               Critical
8     [redacted]                               Critical
9     [redacted]                               None
10    [redacted]                               High
11    [redacted]                               Critical
12    [redacted]                               Critical
13    [redacted]                               Critical
14    [redacted]                               Critical
15    [redacted]                               Critical
16    [redacted]                               Critical
17    [redacted]                               Critical
18    [redacted]                               Critical
19    [redacted]                               Critical
20    [redacted]                               Critical
21    [redacted]                               Critical
22    [redacted]                               Critical
                                                      Print                                14\n\x0c                                                                      No.     Missing Critical and High-Risk Updates     Risk Factor\nHighlights\n                                                                       23                                                  Critical\n                                                                       24                                                  Critical\n                                                                       25                                                   High\n                                                                       26                                                   High\n                                                                       27                                                   High\n                                                                       28                                                   High\n                                                                       29                                                  Critical\nTable of Contents\n\n\n\n\n                                                                       30                                                  Critical\n                                                                       31                                                  Critical\n                                                                       32                                                  Critical\n                                                                       33                                                  Critical\n                                                                       34                                                  Critical\n                                                                       35                                                  Critical\n           
                                                            36                                                  Critical\n                                                                       37                                                  Critical\n                                                                       38                                                  Critical\n                                                                       39                                                  Critical\n                                                                       40                                                  Critical\nFindings\n\n\n\n\n                                                                       41                                                  Critical\n                                                                       42                                                  Critical\n                                                                     Source: OIG Nessus and GFI LanGuard scan results.\nRecommendations\nAppendices\n\n\n\n\n                    Topeka, KS, Material Distribution Center \xe2\x80\x93\n                    Information Technology Logical Access Controls\n                    Report Number IT-AR-14-007\n                                                                                                                              Print    15\n\x0cHighlights          Appendix C:                                      Table 5 summarizes 15 unique compliance checks and configurations that the OIG\xe2\x80\x99s automated scans determined were not\n                          Database                                   compliant with the Security Hardening Standards for                 Databases. 
For example, server [redacted] profile was not configured to [redacted] as specified in the hardening standards.

Table 5. [redacted] Database Compliance Issues – MDIMS Application

The three columns under "MDIMS Application" are the three MDIMS database servers that were scanned (server names redacted); an "x" marks a check that the server failed. Every one of the 15 checks failed on all three servers. The check descriptions are redacted in the published report.

Category                                          Vulnerability Checks and Noncompliance Issues Description   MDIMS Application
Profiles                                          [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
Startup Parameter Settings                        [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
Restrict Network Access                           [redacted]                                                  x   x   x
General Application Configuration Requirements    [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
Use of Roles                                      [redacted]                                                  x   x   x
                                                  [redacted]                                                  x   x   x
Total                                             15                                                          15  15  15

Source: AppDetective and Nessus scanning tools results.

Appendix D: [redacted] Hardening Standards

Table 6 summarizes the compliance checks that the OIG performed to determine if servers running the [redacted] operating system were compliant with Postal Service hardening standards. The "●" in the table identifies those servers that were compliant with hardening standards. The "■" in the table identifies those servers that were not compliant with hardening standards. Specifically, our scans identified two servers, [redacted] and [redacted], that did not have an approved [redacted] software enabled. Both servers had the [redacted] version [redacted] installed, but the software was not enabled. In addition, the servers did not have version [redacted] or version [redacted] installed.
In its security advisory [redacted], the vendor recommends that an agency such as the Postal Service install version [redacted] or version [redacted].

Table 6. MDIMS Application Servers running [redacted] operating system

(Server name columns and the per-server ●/■ results are not reproduced in this copy of the table; only the list of compliance checks survives.)

Compliance Check
Password Management
    Enforced Password History
    Maximum Password Age
    Minimum Password Age
    Minimum Password Length
    Default Accounts Locked/Password Changed
Audit Policy
    Audit Account Logon Events
    Audit Account Management
    Audit Directory Service Access
    Audit Logon Events
    Audit Object Access
    Audit Policy Change
    Audit Privilege Use
    Audit Process Tracking
    Audit System Events

Source: OIG Nessus and GFI LanGuard scanning tools results.

Appendix E: Web Vulnerabilities Examples

29  A worldwide organization focused on improving the security of software.
31  A global management consulting firm focused on information security.

Appendix F: Sample Selection Summary

Table 7 identifies the 14 servers we judgmentally selected for testing and the associated application or function residing on each server. We used automated scanning tools to evaluate each server's security. The sample consists of two IPPD print servers, five MDIMS database servers, five MDIMS application servers, and two MDIMS web servers; operating system, IP address, and server name are redacted in the published report.

Table 7. Servers/Applications/Functions

No.   Operating System   IP Address   Server Name   Application/Function
 1    [redacted]         [redacted]   [redacted]    IPPD Print Server
 2    [redacted]         [redacted]   [redacted]    IPPD Print Server
 3    [redacted]         [redacted]   [redacted]    MDIMS Database Server
 4    [redacted]         [redacted]   [redacted]    MDIMS Database Server
 5    [redacted]         [redacted]   [redacted]    MDIMS Application Server
 6    [redacted]         [redacted]   [redacted]    MDIMS Application Server
 7    [redacted]         [redacted]   [redacted]    MDIMS Application Server
 8    [redacted]         [redacted]   [redacted]    MDIMS Application Server
 9    [redacted]         [redacted]   [redacted]    MDIMS Database Server
10    [redacted]         [redacted]   [redacted]    MDIMS Database Server
11    [redacted]         [redacted]   [redacted]    MDIMS Application Server
12    [redacted]         [redacted]   [redacted]    MDIMS Web Server
13    [redacted]         [redacted]   [redacted]    MDIMS Web Server
14    [redacted]         [redacted]   [redacted]    MDIMS Database Server

Source: Servers selected for audit by OIG.

Appendix G: Management's Comments
Contact us via our Hotline and FOIA forms, follow us on social networks, or call our Hotline at 1-888-877-7644 to report fraud, waste or abuse. Stay informed.

1735 North Lynn Street
Arlington, VA 22209-2020
(703) 248-2100